When IT security is a focal point of the State of the Union address, as it was in President Obama's February speech, government IT pros had better take notice.

Foreign adversaries are "seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems," the president warned. "We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."

Federal government data centers are at the center of this discussion. The systems and databases within those data centers house everything from the personal information of U.S. citizens to law enforcement case records and classified intelligence.

Federal agencies have been shoring up their data center defenses for years, but much more needs to be done. Security experts report not only a growing number of attacks, but also successful breaches. Throwing money at the problem isn't the answer, nor is it an option. The federal IT budget remains flat and sequestration, which went into effect March 1, triggered across-the-board cuts. Federal CIO Steven VanRoekel, in a February interview with InformationWeek Government, warned that sequestration could cause agencies to lose momentum in their efforts to improve cybersecurity. Agency CIOs have to be smart and selective in how they invest their limited resources.

"The problem is much bigger than it was three or four years ago," says Omar Khawaja, head of product marketing for data center operator Verizon Terremark, which provides hosting and cloud services to federal agencies. "You've got more threats, more vulnerabilities and the assets are more critical than ever before."

Shortly after the State of the Union address, Mandiant, a security vendor, released a report that traced a Chinese hacker group, dubbed APT1 and suspected of "economic espionage" against at least 141 companies and government agencies over seven years, to a district in residential Shanghai that's home to a unit of the People's Liberation Army. It was the most detailed in a growing body of evidence that the Chinese military may be involved in probes of U.S. computer systems. The New York Times, Google and Apple all reported security breaches at about the same time.

Federal agencies are targets, too. In February, the Department of Energy revealed that online attackers had penetrated its network and obtained personal information on hundreds of employees and contractors. The department's Joint Cybersecurity Coordination Center and federal law enforcement agencies are investigating the incident. In a memo to employees, DOE recommended that they encrypt all files and emails that contain personal information, including files stored on hard drives or on the shared network.

The Department of Defense, even with its U.S. Cyber Command operations, remains vulnerable as well. The Defense Science Board, a civilian committee that provides scientific and technical advice to the Pentagon, said in a report this month that the DOD isn't prepared to defend against sophisticated international cyber attacks. The report pointed to "inherently insecure architectures," inadequate intelligence and the sheer limits of technology in defending against emerging cyber threats. It encourages the DOD's CIO to work with the military branches to create an enterprise security architecture that includes minimum standards to ensure a "reasonable" level of defensibility and increase the probability that attacks are detected.

Robust data center security starts outside the brick-and-mortar building. Verizon Terremark serves federal customers from a 30-acre complex in northern Virginia that's protected by 12-foot beams, DOD-approved fences, blast-proof walls and motion-sensor cameras. But it's the systems, software and processes inside the data centers used by government agencies -- some owned and operated by contractors, others by the agencies themselves -- that are the urgent focus of federal IT teams.

Certainly a proper identity and access management strategy would be useful to the feds too. At the end of the day "brick and mortar" provisioning and de-provisioning are pretty important. In today's age - and especially for the feds - ADAPTIVE authentication and authorization are hugely important. Someone located in Washington DC trying to access a resource should receive a different response from the systems than if they the same person was trying to access that same resource from China (for example). Maybe they need to use their smartcard or one-time-password device or maybe they just aren't allowed. We need to tie all this stuff together.

Three key takeaways from this article: 1) More money isn't the answer given the fiscal situation. The feds have to come up with ways to defend against new threats across many fronts, but there will be no blank check. 2) The only way to get your arms around the big and growing threat landscape is to make it "smaller." 3) New, innovative approaches are needed. I would add that all three points are interrelated.

Published: 2015-03-03Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.

Published: 2015-03-03** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue in customer-controlled software. Notes: none.

How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.